[Cialug] apache security question

chris chris at ia.gov
Wed Jul 2 13:54:41 CDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Weis wrote:
|
| Yes, that works, we've got a bunch of other files in the same directory
| that download file also.
|
| Josh More wrote:
|> If you rename the extension to .html, can you download it?  If so, look
|> at the allowable file types.
|>


Something else to be aware of that may be/have been biting you.  When you have selinux enabled and create files in some
directory outside of your web root, the files inherit the security context of the parent directories.  If you then move
the file into your webroot, it may give a 403 on access by the httpd process.  If the file is created inside the webroot
it will inherit the correct context and serve up ok.  Centos > 4.x has selinux enabled by default I think.

Looking at Josh's credentials my guess is he could lend more insight into this behavior.  I am only aware of it from
bumping into the 403 issue many times on #apache with the distros that use selinux by default.  My description above was
based on observation and not from the documentation so I may not have a complete grasp on what all happens to cause the
403's.  I just know how we've worked around the issues when they have come up.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhrzvEACgkQvajVK7YH7O43sACggDHE86QbcQljRvCM2s1gqJYU
BHYAnijCUbX0jwM2VxBwTqtbY9a+9JGh
=h9Bn
-----END PGP SIGNATURE-----


More information about the Cialug mailing list